Currently flowable associates a user task with assignee who can complete this task.
What is the way to associate a user task with set of users who would be read-only users for that task (i.e. they are able to see it but not act on it)?
The same question is for ‘cancel’ operation. How can I associate a user task or whole workflow instance with a set of users who can cancel it?
You can associate a group or set of users as “candidate” assignees, which means they can see the task if you look for candidates (see the Task UI). To work on the task, they need to claim it.
Furthermore, the engine allows to set arbitrary ‘identity links’ for tasks through the TaskService.addUserIdentityLink method (and similar others). These can be queried through the engine, but the engine won’t do anything permission-wise with the information, that’s logic you’d have to add yourself.